Claw field notebook
last updated 2026-05-14

Auth — login, API key, or Bedrock/Vertex

Three ways to authenticate Claude Code — claude.ai subscription login (easiest), Anthropic Console API key (pay-as-you-go), or third-party provider via Bedrock or Vertex (enterprise / governance). Pros, cons, where credentials live.

The three paths at a glance

| Path | When to use | Cost model | Setup time |
| --- | --- | --- | --- |
| Subscription login | You use Claude daily and have a Pro / Max / Team account | Flat monthly fee · most predictable | 30 seconds |
| API key | You want pay-as-you-go OR you’re scripting Claude Code for CI / automation | Per-token · cheap for light use · expensive for heavy | 2 minutes |
| Bedrock or Vertex | Your org requires the call to go through AWS or Google Cloud (compliance / billing reasons) | Cloud’s per-token rate · billed via your cloud account | 10 minutes + cloud setup |

You can switch between paths by setting environment variables — they’re not exclusive. Many people log in with a subscription locally and override to an API key for scripted CI runs.

Path 1 — Subscription login (the easy one)

If you have a Claude Pro / Max / Team / Enterprise subscription, this is the simplest. From any directory:

claude

On first launch, it opens a browser to claude.ai. You sign in (or pick the account you’re already in), confirm the device, and the CLI gets a token. Token storage varies by platform:

  • macOS: stored in the encrypted system Keychain (no plaintext file on disk)
  • Linux: stored at ~/.claude/.credentials.json (note the leading dot on the filename) with file mode 0600
  • Windows: stored at %USERPROFILE%\.claude\.credentials.json

Why this matters: subscription tokens inherit your tier’s rate limits. Pro is roughly “individual daily use,” Max is “all-day heavy use,” Team adds shared billing + per-seat. If you hit the weekly cap mid-task, you wait — the CLI tells you when the reset is.

Switching accounts

claude logout
claude   # opens the browser again

What the token can do

Anything your subscription can — chat, edit files in projects, call MCP servers, use Computer Use (if your account has access). It cannot transfer to other tools — the token is scoped to Claude Code.

Path 2 — Anthropic Console API key

For pay-as-you-go billing or CI/scripting.

  1. Sign in to console.anthropic.com.

  2. Workspaces → API Keys → Create Key. Give it a name like claude-code-laptop.

  3. Copy the key (starts with sk-ant-...). You’ll see it once — copy now or you’ll have to rotate.

  4. Set it as an environment variable:

    # macOS / Linux — add to ~/.zshrc or ~/.bashrc
    export ANTHROPIC_API_KEY=sk-ant-...
    
    # Windows PowerShell — persistent
    [Environment]::SetEnvironmentVariable("ANTHROPIC_API_KEY", "sk-ant-...", "User")

  5. Restart your shell. Run claude — it’ll detect the env var and skip the browser login.

What the key can do

Everything the API can do, billed against the credit balance on the Console workspace the key belongs to. Set a billing cap in Console → Workspace Settings → Spend Limits. Without one, an over-eager agent loop can burn through real money fast.

Rotating

# In Console: revoke the old key, create a new one
export ANTHROPIC_API_KEY=sk-ant-NEW...
# Update your shell config so it persists

⚠️ Never commit sk-ant-... to a repo. Add .env* to .gitignore. If a key leaks, revoke it in Console immediately — it’s a billable credential.
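
One way to enforce the rule above is a git pre-commit hook. This is an added example, not part of Claude Code or the Console; the function name is hypothetical and the key pattern (the sk-ant- prefix followed by 20 or more characters) is an assumption, since the page only gives the prefix.

```shell
#!/bin/sh
# Added example (not from Claude Code or Anthropic): block commits that add
# something shaped like an Anthropic API key.
# Assumption: a key is "sk-ant-" followed by 20+ characters of [A-Za-z0-9_-].
KEY_RE='sk-ant-[A-Za-z0-9_-]{20,}'

# Read a unified diff on stdin. Report each file with a key-shaped string on an
# ADDED line (the key itself is never echoed). Returns 0 if clean, 1 otherwise.
scan_diff_for_keys() {
    hits=0
    file='(unknown)'
    while IFS= read -r line; do
        case $line in
            '+++ '*)                      # file header: "+++ b/path"
                file=${line#+++ }
                file=${file#b/} ;;
            '+'*)                         # added line
                if printf '%s\n' "$line" | grep -Eq -- "$KEY_RE"; then
                    echo "possible API key added in: $file" >&2
                    hits=$((hits + 1))
                fi ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# When installed as .git/hooks/pre-commit, scan the staged changes.
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached -U0 | scan_diff_for_keys || {
        echo "commit blocked: revoke the key in Console if it was ever pushed" >&2
        exit 1
    }
fi
```

Save it as .git/hooks/pre-commit and mark it executable. Removed lines are ignored, so deleting a leaked key from a file is never blocked.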

Path 3 — Third-party provider (Bedrock or Vertex)

If your organisation requires Claude calls to go through AWS Bedrock or Google Vertex (for governance, billing, or data-residency reasons), Claude Code supports both as drop-in replacements for the direct API.

Amazon Bedrock

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1
# Standard AWS credentials picked up from ~/.aws or env vars

You need:

  • AWS credentials with permission to invoke Bedrock models (bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream)
  • The Claude models you want to use enabled in your AWS account (Bedrock → Model access)
  • A region that has the model you need (US East and US West have the broadest coverage)

Pricing follows AWS Bedrock’s per-token rate (typically a slight premium over Anthropic direct). Billing goes through your AWS account.

Google Vertex AI

export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-central1
export ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id
# Standard gcloud auth: gcloud auth application-default login

You need:

  • A GCP project with the Vertex AI API enabled
  • Claude models enabled in Vertex Model Garden
  • ADC (application default credentials) set up via gcloud auth application-default login

Pricing follows Vertex’s per-token rate. Billing goes through your GCP account.

Why pick a third-party provider

  • Compliance: your security team requires LLM calls through a cloud they’ve already audited.
  • Billing consolidation: Anthropic calls land on the same invoice as the rest of your cloud spend.
  • Existing private networking: you’ve already set up Bedrock/Vertex VPC endpoints; Claude Code rides on top.

Why NOT to pick a third-party provider

  • Lag. New Anthropic models reach the direct API first; Bedrock + Vertex catch up days-to-weeks later.
  • Slightly more expensive per token on average.
  • Feature gaps. Some surfaces (e.g. the newest Computer Use beta tools) may not be available through Bedrock / Vertex yet.

For personal projects: don’t bother. For org work: probably worth it for the audit trail alone.

Where credentials live (summary)

| Path | Storage |
| --- | --- |
| Subscription | macOS: system Keychain · Linux: ~/.claude/.credentials.json (mode 0600) · Windows: %USERPROFILE%\.claude\.credentials.json |
| API key | ANTHROPIC_API_KEY env var (shell config) |
| Bedrock | ~/.aws/credentials + CLAUDE_CODE_USE_BEDROCK=1 env var |
| Vertex | gcloud ADC + CLAUDE_CODE_USE_VERTEX=1 + project env vars |

Common pitfalls

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| Browser login redirects to white screen | Multiple Claude accounts — wrong one selected | Open claude.ai in same browser, sign in correctly, retry claude |
| API key set but Claude still asks to log in | Env var not exported in current shell | echo $ANTHROPIC_API_KEY to confirm; reopen shell if blank |
| Bedrock returns “AccessDeniedException” | Model not enabled in your AWS region | Bedrock → Model access → enable Claude |
| Vertex returns “PERMISSION_DENIED” | ADC pointing at wrong project | gcloud config get-value project, verify against ANTHROPIC_VERTEX_PROJECT_ID |
| Subscription token “expired” mid-session | Refresh token revoked (account password change, security event) | claude logout + claude to re-login |
